In a conventional authentication system, a user enters a personal identification number (PIN) into a device in order to authenticate to an authentication server. For example, a bank customer inserts his bank card into an automatic teller machine (ATM) and types a 4-digit PIN onto a keypad, followed by enter. The PIN is then sent to the bank's authentication server, which determines if the entered PIN is associated with the customer's bank account.
The keypad typically includes digits 0-9 as well as a few additional buttons (e.g., enter, cancel, etc.). Thus, the PIN space contains about 10,000 possible passwords, and the bank customer is able to authenticate by pressing 5 buttons in sequence (i.e., the four digits of the PIN followed by enter).